CVE-2026-25861: QloApps 1.7.0 Weak Password Hashing via MD5 in Tools.php
QloApps through 1.7.0, fixed in commit 64e9722, contains a weak cryptographic algorithm vulnerability that allows attackers to compromise user credentials by exploiting the use of MD5 for password hashing in the Tools::encrypt() function within classes/Tools.php, which concatenates a static cookie key with the supplied password. Attackers can perform offline brute-force attacks against the MD5 hashes, with the risk compounded by auto-generated 8-character passwords assigned during guest-to-customer account conversion in classes/Customer.php, making credential recovery trivial.
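To make the weakness concrete from a defender's side, the following is an added illustration, not code from QloApps or from the advisory: it reconstructs the pattern described above (MD5 over a static cookie key concatenated with the password) beside a hardened replacement built on PHP's password_hash()/password_verify(), with a transparent upgrade of legacy hashes on the next successful login. The constant LEGACY_COOKIE_KEY, the helper names and the sample password are assumptions constructed for the example.

```php
<?php
// Added example, not QloApps' own code. LEGACY_COOKIE_KEY and the helper
// names below are assumptions; the sample password is constructed.
declare(strict_types=1);

const LEGACY_COOKIE_KEY = 'constructed-static-key-for-illustration';

// Weak form: MD5 over a deployment-wide static key plus the password.
// The key is the same for every user, so it is not a salt: identical
// passwords yield identical hashes, and MD5 is cheap enough that the
// hashes can be brute-forced offline once the database is obtained.
function legacyHash(string $password): string
{
    return md5(LEGACY_COOKIE_KEY . $password);
}

// Prefer Argon2id when the PHP build supports it, else the default (bcrypt).
function hashAlgo(): string
{
    return defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_DEFAULT;
}

// Hardened form: per-user random salt and a deliberately slow algorithm.
function hardenedHash(string $password): string
{
    return password_hash($password, hashAlgo());
}

// A bare 32-hex-digit value is a legacy MD5 hash; modern hashes carry a
// "$algo$..." prefix, so they never match this pattern.
function isLegacyHash(string $stored): bool
{
    return (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
}

// Verify a login attempt and, on success, return a replacement hash when
// the stored one is legacy or uses outdated cost parameters.
// Returns [bool $ok, ?string $newHashToStore].
function verifyAndMigrate(string $password, string $stored): array
{
    if (isLegacyHash($stored)) {
        // Constant-time comparison so timing does not leak matching bytes.
        if (!hash_equals($stored, legacyHash($password))) {
            return [false, null];
        }
        // Valid legacy login: re-hash with the strong algorithm and have
        // the caller overwrite the MD5 value in the database.
        return [true, hardenedHash($password)];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    $rehash = password_needs_rehash($stored, hashAlgo()) ? hardenedHash($password) : null;
    return [true, $rehash];
}

// Demonstration on constructed values.
$pw = 'Sample-Pass-123';
$legacy = legacyHash($pw);
[$ok, $upgraded] = verifyAndMigrate($pw, $legacy);
assert($ok && $upgraded !== null && !isLegacyHash($upgraded));

[$okAgain, $noRehash] = verifyAndMigrate($pw, $upgraded);
assert($okAgain && $noRehash === null);

[$rejected, ] = verifyAndMigrate('wrong-password', $upgraded);
assert(!$rejected);

echo "legacy:   $legacy\n";
echo "upgraded: $upgraded\n";
```

The migration path matters operationally: a code change alone leaves every existing MD5 value in the database exposed, so the login path should rewrite each legacy hash the first time the user authenticates, and accounts created with auto-generated short passwords should be forced through a password reset rather than waiting for that login.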
Metrics
- CVSS v4.0: 8.2
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Weak password hashing using MD5 in QloApps through version 1.7.0 exposes stored user credentials to offline brute-force attacks. The vulnerability is reachable over the network without any authentication, and an attacker who obtains the password hash database can crack credentials offline. Successful exploitation gives the attacker plaintext user passwords, enabling account takeover. No official fix version has been published yet; HarborGuard tracks the advisory for patch availability.
HarborGuard Coverage
Detection (Available): Detection of CVE-2026-25861 is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that package QloApps. Any image running QloApps at or below version 1.7.0 is flagged automatically.
Triage (Available): Triage is available with a CVSS v4.0 score of 8.2 (HIGH), weighted against each environment's compliance policy to prioritize findings appropriately. Routed alerts are directed to the correct team inbox inside each customer organization based on configured ownership rules.
Remediation (Pending upstream): Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available as soon as the upstream maintainers ship a released fix. In the interim, customers can use HarborGuard's policy controls to flag or block deployment of images containing the affected QloApps version.
Exploit Conditions
- Network reachability: Required
The attacker must reach the QloApps service over the network to obtain or interact with stored MD5 password hashes.
- Authentication: Not required
No credentials are needed; the attacker can target the hashing weakness without an existing account.
- Victim interaction: Not required
No user action is needed; the attacker works offline against previously obtained hashes.
- Attack complexity: Detail
Attack complexity is high due to environmental factors such as needing access to the hash database. Once hashes are obtained, however, the weak MD5 algorithm makes cracking straightforward, especially against the auto-generated 8-character passwords.
Blast Radius
- Attacker recovers plaintext passwords for registered users and guest-converted customer accounts from the MD5 hash database.
- Recovered credentials enable full account takeover, exposing stored personal data, booking history, and payment references tied to each account.
- Auto-generated 8-character passwords assigned during guest-to-customer conversion are trivially cracked, widening the pool of compromised accounts.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-25861 is active and will flag any image running QloApps 1.7.0 or earlier as soon as it appears in a customer registry or CI pipeline scan. Because no released fix version exists upstream yet, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is published. Where compliance policy permits, customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention. In the meantime, compensating controls available through HarborGuard include network-policy isolation to restrict access to the QloApps instance, egress filtering to limit lateral movement from a compromised host, and deployment-block policies to prevent new rollouts of images carrying the vulnerable version. Customers can also reference the upstream commit 64e9722 to evaluate a manual patch against their own base image.
- QloApps / QloApps ≤ 1.7.0 · 64e9722e7e6a8fda77dd53964d988fb6b5c3d174
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N